Results 1 to 4 of 4

Thread: Ldap: Ssh & pam

  1. #1
    Join Date
    Oct 2012
    Beans
    2

    Ldap: Ssh & pam

    I'm trying to set up a Ubuntu Server 12.04 in order user to login using credentials coming from ActiveDirectory.

    I've followed this guide: https://help.ubuntu.com/community/LD...Authentication but in the end I failed to make it works.

    The problem I experiencing is that pam tries to bind the user against LDAP server making a bindRequest, but if the user is not already a local account, "INCORRECT" password is sent to LDAP server instead of the password provided by the user, failing of course the authentication. (I sniffed the packet using tshark).
    On the contrary, if the user is already local (previously added with useradd command), the password is sent correctly and the authentication is made successfully.

    This is the auth.log
    Code:
    Oct 31 14:10:49 taiba sshd[6620]: Invalid user XXXXXX from 10.XXX.XX.XX
    Oct 31 14:10:49 taiba sshd[6620]: input_userauth_request: invalid user XXXXXX [preauth]
    Oct 31 14:10:52 taiba sshd[6620]: pam_ldap: error trying to bind as user "XXXX" (Invalid credentials)
    Oct 31 14:10:52 taiba sshd[6620]: pam_unix(sshd:auth): check pass; user unknown
    Oct 31 14:10:52 taiba sshd[6620]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXXX 
    Oct 31 14:10:52 taiba sshd[6620]: pam_ldap: error trying to bind as user "XXXXXXX" (Invalid credentials)
    Oct 31 14:10:54 taiba sshd[6620]: Failed password for invalid user XXXXXX from 10.XXX.XX.XX port 51831 ssh2
    So I realized that the problem is when the account is not present.

    Does anyone have a suggestion of what I have to change o modify in order to solve this problem? I can post the content of conf files you think could be useful.

    Thank you and best regards

  2. #2
    Join Date
    Oct 2012
    Beans
    2

    Re: Ldap: Ssh & pam

    Does anyone have an idea where I can look for a solution?

  3. #3
    Join Date
    Sep 2010
    Location
    Indian Capital City
    Beans
    915
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Ldap: Ssh & pam

    14:10:49 taiba sshd[6620]: Invalid user XXXXXX from 10.XXX.XX.XX
    Does 'id' command for the LDAP username work on your system ?
    When you have eliminated the impossible, whatever remains, however improbable, must be the truth !!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Mark it [SOLVED] if the issue has been resolved

  4. #4
    Join Date
    Nov 2008
    Location
    S.H.I.E.L.D. 6-1-6
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Ldap: Ssh & pam

    Quote Originally Posted by Scarex View Post
    I'm trying to set up a Ubuntu Server 12.04 in order user to login using credentials coming from ActiveDirectory.

    I've followed this guide: https://help.ubuntu.com/community/LD...Authentication but in the end I failed to make it works.

    The problem I experiencing is that pam tries to bind the user against LDAP server making a bindRequest, but if the user is not already a local account, "INCORRECT" password is sent to LDAP server instead of the password provided by the user, failing of course the authentication. (I sniffed the packet using tshark).
    On the contrary, if the user is already local (previously added with useradd command), the password is sent correctly and the authentication is made successfully.

    This is the auth.log
    Code:
    Oct 31 14:10:49 taiba sshd[6620]: Invalid user XXXXXX from 10.XXX.XX.XX
    Oct 31 14:10:49 taiba sshd[6620]: input_userauth_request: invalid user XXXXXX [preauth]
    Oct 31 14:10:52 taiba sshd[6620]: pam_ldap: error trying to bind as user "XXXX" (Invalid credentials)
    Oct 31 14:10:52 taiba sshd[6620]: pam_unix(sshd:auth): check pass; user unknown
    Oct 31 14:10:52 taiba sshd[6620]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXXX 
    Oct 31 14:10:52 taiba sshd[6620]: pam_ldap: error trying to bind as user "XXXXXXX" (Invalid credentials)
    Oct 31 14:10:54 taiba sshd[6620]: Failed password for invalid user XXXXXX from 10.XXX.XX.XX port 51831 ssh2
    So I realized that the problem is when the account is not present.

    Does anyone have a suggestion of what I have to change o modify in order to solve this problem? I can post the content of conf files you think could be useful.

    Thank you and best regards
    does the server require a bindpw by any chance?
    Don't waste your energy trying to change opinions ... Do your thing, and don't care if they like it.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •